Q5: Why should U.S.-based organizations participate in the EU-U.S. Privacy Shield Framework in light of the CJEU’s Schrems II decision?
  • Organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.
  • The July 16, 2020 decision by the CJEU does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. On August 5, 2020, former Federal Trade Commission (FTC) Chairman Joseph Simons noted with reference to the July 16, 2020 decision by the CJEU that “We stand ready to support the administration’s efforts in this area, but at the same time we will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.”
  • Once the EU-U.S. DPF Principles enter into effect, organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles and wish to enjoy the benefits of participating in the EU-U.S. DPF will have to comply with the EU-U.S. DPF Principles.
  • The Department will continue to provide timely updates on the status of the EU-U.S. DPF as a basis for transfers of EU personal data to the United States. 

Q6: Have the requirements regarding re-certification under the EU-U.S. Privacy Shield Framework changed in light of the CJEU’s Schrems II decision or the Executive Order?
  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List.
  • Organizations continue to be required to re-certify annually if they wish to remain on the Privacy Shield List. Please see the guidance on how to re-certify to Privacy Shield for additional information on the re-certification requirements, including the requirement to provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual and the requirement to contribute to a fund to cover the arbitral costs as described in Annex I to the EU-U.S. Privacy Shield Framework Principles. 
  • Organizations continue to be required to pay an annual processing fee to the ITA in order to participate in the EU-U.S. Privacy Shield, as the cost recovery program supports the administration and supervision of the Privacy Shield program. The annual processing fee is generally not refundable.

Q7: Have the requirements regarding withdrawal from the EU-U.S. Privacy Shield Framework changed in light of the CJEU’s Schrems II decision or the Executive Order?
  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for withdrawal from the Privacy Shield and maintaining both the Privacy Shield List and a record of organizations that have been removed from the Privacy Shield List.
  • Organizations may withdraw from the EU-U.S. Privacy Shield at any time; however, they must meet ongoing requirements related to data received under the EU-U.S. Privacy Shield and must remove from their websites, privacy policy statements, and any other public documents any representations that could be construed as claims that they participate in or comply with the EU-U.S. Privacy Shield. Please see the EU-U.S. Privacy Shield Framework Principles and the guidance on withdrawal from the Privacy Shield for additional information on the withdrawal requirements, including the requirement to complete and return to the ITA a withdrawal questionnaire to verify what the organization will do with the personal information that it received while participating in the EU-U.S. Privacy Shield, and if personal information will be retained who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.